After the many emails I’ve had about this, it seemed only appropriate to write up a detailed post (or two actually) about how to resolve this.

You will hit this problem when using the Hyper-V Vista management tools connecting to a remote Windows Server 2008 machine with the Hyper-V role enabled, and where both machines are in a workgroup (or in a domain environment where you genuinely don’t have access - but that's another blog entry).

There are several additional configuration steps you need to complete to make remote management work in a workgroup environment.

Step 1 (On Client and Server)

Make sure you are using a username and password which matches between the client and the server. For this walkthrough, I created an account with the username “john” with the same password on both machines. The “john” account is not an administrator on the server machine, but is an administrator on the client machine (for convenience).

Make sure the command is successful and responds Updated 4 rule(s). Ok.

Note: The string in quotes must match the group name defined in the Windows firewall itself. So if you are running a non-English language server, you will need to verify what group name this is.

If you now open “Windows Firewall with Advanced Security” from Administrative Tools on the start menu, you will notice that four rules (three inbound and one outbound) have been enabled. (It helps to sort by Group.)

Step 3 (On Server)

This step grants appropriate DCOM (Distributed COM) permissions to the user(s) who are remotely connecting. Depending on your circumstances, you can add the individual users (they must obviously have an account already on the server), a group, or you can allow all users by selecting the “Authenticated Users” group.

Open Component Services by typing “dcomcnfg” in the box on the start menu, and expand the menu so that “My Computer” is selected under Component Services\Computers.

In the above dialog, click Edit Limits in the “Launch and Activation Permissions” area (not to be confused with the Edit Limits in the “Access Permissions” area).

Click “Add…” and enter the users (or groups including “Authenticated Users” as appropriate)

Click OK, then select the added user or group

In the Allow column, select Remote Launch and Remote Activation, then click OK.

Close Component Services

Step 4 (On Server)

This step grants appropriate WMI permissions to the user(s) who are remotely connecting. You need to grant access to two namespaces, and, as in step 3, you can add individual users, group(s) or the “Authenticated Users” group.

Open Computer Management under Start/Administrative Tools, expanding the tree down through Services and Applications\WMI Control. Select WMI Control

Right-click on WMI Control and select properties. Then switch to the Security tab. Select the Root\CIMV2 namespace node.

IMPORTANT: You need to set the security twice. Once for the Root\CIMV2 namespace, and then again for the Root\virtualization namespace.

Click the Security button. If the appropriate user or group does not already appear, use “Add…” as you did in Step 3 above to add them.

Now select the user and click the Advanced button below the “Permissions for <user>” area.

Again, make sure the user/group is selected and click Edit

You need to make three changes here:

In the “Apply to:” drop-down, select “This namespace and subnamespaces”

In the Allow column, select Remote Enable

Check “Apply these permissions to objects and/or containers within this container only”

The screen should look like below. If so, click OK through the open dialogs.

Repeat for the Root\virtualization namespace

Click OK as appropriate to confirm all open dialogs and close Computer Management.
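
An added example (not part of the original post): a read-only PowerShell check, run on the server, that lists which trustees hold Remote Enable on the two namespaces from Step 4 and marks grants to broad groups such as “Authenticated Users”. The helper name Get-WmiRemoteEnableAce and the $BroadTrustees review list are assumptions of this example, and it assumes PowerShell 2.0 or later in an elevated prompt.

```powershell
# Added example: read-only audit of WMI "Remote Enable" grants (Step 4).
# Run on the server from an elevated PowerShell 2.0+ prompt. Changes nothing.

$RemoteEnable     = 0x20   # WBEM_REMOTE_ACCESS, shown as "Remote Enable" in the UI
$ContainerInherit = 0x02   # CONTAINER_INHERIT_ACE, i.e. "and subnamespaces"
$Namespaces       = 'root\cimv2', 'root\virtualization'

# Review list chosen for this example: trustees that cover far more than one named account.
$BroadTrustees = 'Authenticated Users', 'Everyone', 'ANONYMOUS LOGON'

function Get-WmiRemoteEnableAce {   # hypothetical helper name
    param([string]$Namespace)

    # __SystemSecurity is the singleton holding the namespace's security descriptor.
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                               -Name GetSecurityDescriptor -ErrorAction Stop
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed on $Namespace (code $($result.ReturnValue))"
    }

    foreach ($ace in $result.Descriptor.DACL) {
        # Skip ACEs that do not carry the Remote Enable right.
        if (($ace.AccessMask -band $RemoteEnable) -eq 0) { continue }

        # Fall back to the SID string when the account name cannot be resolved.
        $trustee = $ace.Trustee.Name
        if (-not $trustee) { $trustee = $ace.Trustee.SIDString }
        elseif ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }

        $type = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Other($_)" } }

        New-Object PSObject -Property @{
            Namespace     = $Namespace
            Trustee       = $trustee
            Type          = $type
            Subnamespaces = (($ace.AceFlags -band $ContainerInherit) -ne 0)
            Broad         = ($BroadTrustees -contains $ace.Trustee.Name)
        }
    }
}

$report = foreach ($ns in $Namespaces) {
    # root\virtualization only exists where the Hyper-V role is installed.
    try   { Get-WmiRemoteEnableAce -Namespace $ns }
    catch { Write-Warning "Could not read ${ns}: $($_.Exception.Message)" }
}

$report | Sort-Object Namespace, Trustee |
    Format-Table Namespace, Trustee, Type, Subnamespaces, Broad -AutoSize

$broad = @($report | Where-Object { $_.Broad -and $_.Type -eq 'Allow' })
if ($broad.Count -gt 0) {
    Write-Warning ("{0} broad Remote Enable grant(s) found; consider named users or a dedicated group instead." -f $broad.Count)
}
```

Both namespaces should show the same trustee with Type Allow and Subnamespaces True after Step 4; a row missing for Root\virtualization is the usual sign that the “set the security twice” step was skipped.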

Step 5 (On Server)

This step configures the Authorization Manager (AZMan) policy for the server running the Hyper-V role. I am assuming in this walkthrough, you are using the in-box default policy and have not re-configured anything at this stage.

Open Authorization Manager by typing “azman.msc” in the box on the start menu.

Right-click on the Authorization Manager and choose Open Authorization Store from the context menu.

Make sure the “XML file” radio button is selected, and browse to the \ProgramData\Microsoft\Windows\Hyper-V directory on the system drive and select InitialStore.xml, then click OK.

I’m going to keep this walkthrough as simple (!) as possible, and make my “john” account an Administrator in the context of Hyper-V authorization policy. Expand the tree down through InitialStore.xml\Hyper-V services\Role Assignments\Administrator, and select Administrator.

In the area on the right, right-click and select “Assign Users and Groups” then “From Windows and Active Directory…”.

Add the appropriate users or groups (here you can see the “john” account)

Close the Authorization Manager MMC.

IMPORTANT. You must now reboot your server for the above changes to take effect.

Kent – there’s nothing I can spot wrong with the configuration – the length of the computer name should not matter. Are you *sure* you have the right password set in cmdkey on the client for the account "mhyper\kmorstain" on the server, and that the password is not null (blank)? If you have a blank password, you need to set a password on the server, and recreate the cmdkey entry.

You can verify access to the server by running wbemtest from the client and hitting connect, entering \\mhyper\root\cimv2 in the namespace, and entering the credentials mhyper\kmorstain in the user, plus the password of the kmorstain account on the *server*. Does this connect OK? If so, hit the "query" button and enter (no quotes) "select * from win32_computersystem" then apply. Do you get one record returned? (Win32_computerSystem.Name="mhyper").

Mike – I’m not sure I understand your point. Hyper-V server is like Windows Server 2008 server core installation – there is no GUI. You have to manage both remotely if you want to use GUI tools which is what this (and the other 4 posts) are about. I recommend though you use HVRemote (link at top) as that makes the process much simpler.

Shiva – I would absolutely not recommend deploying a Hyper-V server directly open to the Internet, especially the management interfaces. General RDP clients will not be able to connect over RDP using port 2179 – although VMConnect uses the RDP protocol, the connection establishment is not quite the same.

If you need to deploy directly to the Internet, I would recommend you look at building out a Terminal Service Web Access/Gateway protected behind an ISA server (I have previously run through configuring exactly this on my blog, last year IIRC). It would be far more secure.

Exhotic Hadron – to the best of my knowledge, there was no issue on M3 builds running both Hyper-V and the Management client together on a single box. Unfortunately though, I don’t have any boxes around any more still running M3 (we’ve moved way past that) to verify.

Kent – please post back the output from both client and server of hvremote /show /target:othercomputername. Please first though follow the troubleshooting steps (particularly the client) if it fails from steps 3 onwards.

Ryan – what changed from working to now getting the error – in particular, you mention about passwords being in sync, so could this be tied to that and there’s been a typo on syncing the passwords, especially as you indicate you are getting MMC failures too? It doesn’t sound like it’s Hyper-V specific, in other words. Are you using cmdkey to set credentials on the client to authenticate to the server?

Lduval – I’ll add it to a list, but I should be up front and say it may be some time off yet. However, you should still be able to run from the command prompt in Hyper-V server net localgroup "Distributed COM Users" <username> /add to solve this.

Scott – it would be helpful for diagnosis or ease of configuration (unless you really want to do the steps manually) to use HVRemote instead. The link is at the top of the page. Follow that, take a look at the documentation and if you still have problems, please post back the output of hvremote /show on both the client and the server.

Fábio & Impactro – please use HVRemote (link at top of article), or see other parts of this series which explain how to perform the steps manually on core. However, I strongly recommend you use HVRemote.

@Sebastien – actually, no that is not correct. This does work on server core with a few variations. Give me a couple of days – I’m documenting the exact steps and will be posting it up soon. (And part 3 really IS a valiant effort. You’ll see why when you see it!!!)

Shiva – no this is not possible in Hyper-V through VMConnect. To the best of my knowledge, it is not possible in RDP, but that’s outside of my area of authoritative expertise. You may want to ask that question on one of the Technet Windows Server forums.

Can you run hvremote /show on both the server and the client? You shouldn’t need to add the /debug – I’ll almost certainly get everything I need from just the /show with the v0.3 version you’re running.

This is failing because you have incorrect stored credentials from the client to authenticate to the server. From the client output:

——————————————————————————-

Stored Credentials

——————————————————————————-

Currently stored credentials:

Target: morstainhyperv

Type: Domain Password

User: morstainhyperv\account

The server output indicates that you have created and granted an account "morstainhyperv\kmorstain" access. On the client use cmdkey to remove the currently stored credentials and replace them with morstainhyperv\kmorstain.

Tim – Just so I understand your scenario. You have a box running Hyper-V which is a full install (as opposed to server core). You are using a TS session (mstsc) to log on to the server and/or using a KVM as-if you were sitting in front of the server console to log on to it. From there, you’re running Hyper-V Manager and getting the permission error.

Are you an administrator on the machine, or if not, have you granted your account the appropriate permissions in AZMan?

Yes, this is expected. Saved states are not compatible between 2008 and 2008 R2. You need to cleanly shut down the machines in 2008 before export. You should also merge any online snapshots as these have an implicit saved state in them too.


You’re logged on to client as zeus\vmcmd, but there’s several bits missing from the server side. Client looks good.

You should simply need to run hvremote /add:vmcmd on the server and reboot (possibly) both sides, depending on whether there are active connections outstanding. You also need to make sure the vmcmd user password is the same on both sides as this is a workgroup.

Franck – this is part of our Authorization Manager (AZMan) infrastructure. More information on this will be available in the official documentation very soon. It’s also something that my colleague Ben (http://blogs.msdn.com/virtual_pc_guy) was looking to provide some unofficial (ie blog) information on soon.

Mike (Brown) – are you using SCVMM or the in-box UI? I’m wondering this due to some of the terminology you are using. Currently SCVMM is incompatible with Hyper-V RC1, so that could be the cause of the issue. If you are using the inbox UI, please let me know and I’ll assist you working out what’s wrong.

Shiva – wow, I thought I’d heard every question there possibly could be was relating to remote management of Hyper-V. But you’ve stunned me with this one!

Does this happen every time? When you say restart – as in blue screen, or graceful reboot? In either case, is there anything in the event logs? If a blue-screen, do you have a memory dump file we could analyse? Have you seen the server exhibit similar behaviour at any other time, or is only when using VMConnect?

John, Great detailed information and walk-through! Thank you for your time and sharing it.

However, I have not been able to connect and I am getting the same "WMI:Access Denied" issue as Derek mentioned above with the difference that I am running Vista on my physical laptop.

My laptop is joined to the domain of business corporation and the Windows Server 2008 is part of a workgroup at my home. I have followed all the steps to the letter. The Remote Server Administration Tools for the Hyper-V Tool is also enabled and the properly allowed through firewall extensions. I can Remote Desktop to the server just fine and as extra caution I have added the server IP address to my "hosts" file as well. When I try to connect to the server from Vista Hyper-V Manager, after few seconds, I get "the operation on computer ‘<the server IP address>’ failed".

Any idea, what is missing?

BTW, I initially posted this comment by mistake to Part 3 which is for Core installation. I have full WIN2K8 installation.

John, further to my note above, I learned that possibly the firewall setting on my laptop is blocking the inbound communication. These firewall settings are controlled by the firewall rules in the Local Security Policy. I even cannot ping my laptop from the WIN2K8 server and get timed out while on the other hand I can do remote desktop to the server from my laptop.

Do you know what inbound or outbound firewall rules I need to enable in order to get Hyper-V Manager on my Vista laptop (joined to a domain) communicate with my WIN2K8 server (on a local work group)?

I have installed Hyper-V on Windows Server 2008 Core. I have installed the Hyper-V Manager in my Windows Vista Client

The Server and Vista are connected in a domain, also I have administrator rights on both boxes.

My Windows Firewall is turned off in Vista box, I am able to connect to the core server using Hyper-V Manager, but it always says the "The Operation on Computer ‘servername’ Failed". I see all the options active but I am unable to create a new Virtual Machine on the server or configure VM Switch

I went through all five of your series and followed all the steps and am still getting the same error.

When I tried to approach KB950050 and KB966589 patches, it says it does not apply to the system.

Could you please write a similar guide for "Hyper-V Server 2008" (Baremetal). I can’t apply this one to connect with Vista on an Hyper-V in Workgroup BECAUSE there is nothing like DCOMCNFG in "Hyper-V Server 2008" (which is not a real Core Server).

I am having these problems connecting to vmms (Virtual Machine Management) service on server! I am running the Hyper-V Manager snap-in under the default Administrator account which is as always a member of BUILTIN\Administrators group.

But when I select in the Hyper-V Manager, I get the snap-in connecting to the service and then the notorious "You might not have permission to perform this task". (No message to contact administrator or whoever it might be)

This is observed on PDC build of Windows Server 2008 R2 (Windows Server 7). Any clue?

I checked all the permissions for WMI and DCOM and they are all FULL CONTROL for BUILTIN\Administrators.

I installed both the Hyper-V role AND the RSAT-Hyper-V feature. Could it be that I should NOT install RSAT on the same computer where I am running the Hyper-V role?

Quite interesting, I was unable to install Hyper-V role using the Server Manager snap-in. I was getting errors from UI reported by CLR debugger.

I was lucky to install the role only after I tried ServerManagerCMD.exe -install Hyper-V -allSubFeatures -restart

Any clue how to get this working?

BTW, this is what I get in Event Viewer

Log Name: Microsoft-Windows-Hyper-V-VMMS-Admin

Source: Microsoft-Windows-Hyper-V-VMMS

Date: 11/30/2008 7:32:59 AM

Event ID: 14098

Task Category: None

Level: Error

Keywords:

User: SYSTEM

Computer: Server7

Description:

One or more driver required by the Virtual Machine Management service is not installed or is disabled. Try reinstalling the Hyper-V role.

If you’re free we’d love to have you this year (late Oct.) at Tulsa TechFest where you could present to about 500 people. Just let us know if you should have the time (another vacation maybe ;<) ) to be here.

Does anyone know about the standalone install of Hyper-V server? I have installed it and read everything I can, but I can not connect. I have the Hyper-V server installed, configured the name and IP (non domain) set the user and on my Vista SP1 computer with Hyper-V server tried to connect (same user name as server). I can not ping the HV server, but the HV server can ping my laptop. I have tried the commands on these pages but my Hyper-V server does not recognise most of the commands, such as netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

I followed the instructions and I am able to remotely configure Hyper-V from a Vista machine that is in the same domain as the server. I can create, start and stop VMs. However, I cannot connect to one, the server asks me for username and password and rejects everything I try, even admin account. What privilege is required to _connect_ to a VM?

All other solutions I’ve tested use the same principle. You install the server then you connect against the server using the current server ip. When asked you enter credentials and voila.

I can’t for my life understand how MS can release a free tool like hyper-v and then make it impossible (or just very difficult) to use at home or in a closed testing environment where you most often don’t sit on DNS and DOMAIN servers.

Just trying out the new Hyper V r2 RC with Windows 7 and the RSAT tools. I get the same error as mentioned originally for the Hyper V (Release 1). The requirement to enable and follow all the instructions above shouldn’t be required, should it?

If so using this product in a DMZ environment will be very very painful, let alone an internal network.

We are facing a situation in VM Connect. We have a HyperV Server hosting VM’s and this Host Server is available over the internet. Therefore any client machine with RDP Client will be able to connect to a VM via port 2179. The question is if the client machine is behind a firewall, is it required that the firewall has to open port 2179? Also if the server is behind a firewall, is there any specific settings to be taken care? If you have any information related to this please share with us as this will be of great help to us.

We were trying to make a VMConnect from a Windows Server 2008 (A) to a Hyper-V VM hosted on another Windows Server 2008 box(B). When we close the application, Windows Server 2008 (A) system restarts!! Please let me know if you have any thoughts on the same.

In our environment we are using a work group server and domain connected clients. We have 2 people who use a vista client to remotely manage a server core. Everything was working. We now both get "You do not have the required permission to complete this task. " The passwords are kept up to date from our laptops to our server. We can not only not manage hyper-v but we cannot use any remote management mmc’s. This was originally setup using your guide and I have since tried to confirm settings using your hvremote.wsf routine on server and workstation. I have not gotten a chance to restart the server to see if this solves the issue as there are production vm’s on the system. Any suggestions?

In VMRC connections to Virtual server based VM’s, multiple connections to the same virtual machine is possible. Is there a similar feature in RDP Connectivity to Hyper-V based VM’s? Please let me know if you have any information on the same.

We are trying to Export Virtual machines in a saved state from Windows Server 2008 Enterprise Edition Service Pack 1-Hyper-V Manager Version: 6.0.6001.18016 to Windows Server 2008 R2 Hyper-V Manager Version: 6.1.7600.16385. We are facing a problem while trying to start the imported machine. (Error: Saved State file version is incompatible). Is this expected? Is there a solution to this problem?

I have since day one been able to use Hyper-V Manager to connect, but I (lately) have been attempting to use a different desktop (Vista) other than my laptop, but have failed in every attempt. I get the dreadful "RPC server unavailable. Unable to establish communication between ‘Hyper-V Server’ and ‘MyClient’".

Please note that my laptop continues to function, thank God!

Please let me know what I can do to facilitate some assistance with this issue?

I got the ‘WMI access denied’ error, and then followed all the steps as described in this wonderful article, however I never managed to fix the problem with everything given in this article/comments…

I followed everything in multiple iterations, but couldn't make remote management of HyperV server work from another Windows 2008 R2 with HyperV role. The only way it can work is if I disable the firewall on HyperV Server completely. I set the WMI permissions, firewall rules and what not.

Hi, very helpful! It works also for Windows 7 SP1 Hyper-V Client for Windows Server 2012. After the settings the VMs are in "Saved" mode and did not start. More details see here: support.microsoft.com/…/2249906

Thank you so much. I was struggling with this for 4 hours. I was thinking my PowerShell script was bugged with problem with WMI, or that my DCOM security was wrong. I was in ignorance of Hyper-V authorization. It worked like a charm!